The present invention generally relates to technology for dealing with soft errors of encryption/decryption means in information household appliances or computers, and in particular relates to technology for dealing with soft errors of encryption/decryption means in computer systems or storage systems demanded of highest reliability.
Today, pursuant to the formulation of the Sarbanes-Oxley Act that sets forth the reinforcement of internal control of corporations, companies must protect and manage vast volumes of document data to data centers. A data center is configured from a storage system for storing data in HDDs (Hard Disk Drives) or magnetic tape devices in order to collectively retain large volumes of data.
Since this kind of storage system retains data such as book data and the like of companies which must not be lost, it is demanded of higher reliability in comparison to a personal-use computer system. Opportunities of data loss in a storage system can be classified into opportunities of data loss caused by a hard error, which is a physical malfunction, and opportunities of data loss caused by a temporary error (soft error).
A hard error, as described above, is an error requiring the repair or replacement of a physical element such as when there is a malfunction of a HDD or a magnetic tape, or a microprocessor that controls the data storage processing in the storage system. Meanwhile, a soft error is an error that arises as a result of noise generating particles such as radioactive rays, cosmic rays, alpha waves or neutron rays discharged from radioactive substances contained in the microprocessor causing defective performance of hardware without destroying such hardware. In recent years, defective performance caused by soft errors is becoming prominent due to the deterioration in the operating voltage or increase in the clock frequency of LSI caused by the high integration of hardware.
Conventional highly-reliable systems have protected the hardware from defective performance caused by soft errors based on a protection method of using devices that have high soft error resistance, a protection method based on multiplexing and majority of the same processing circuit as shown in Japanese Patent Application No. 8-344042 (“Patent Document 1”), and a protection method based on a parity bit check as shown in Japanese Patent Laid-Open Publication No. 2007-179450 (“Patent Document 2”).
The protection method based on multiplexing and majority described in Patent Document 1 is, specifically, a method of detecting and correcting an error by making redundant a plurality of circuits having the same function, and deciding the majority among data that are output from the plurality of redundant circuits.
In addition, the protection method described in Patent Document 2 is a parity bit checking method of retaining parity created from data in an area that is separate from such data in the memory elements and detecting an error between the parity created from the data and the retained parity upon reading the data, or a method of correcting the error based on ECC (Error Checking and Correct), and not according to the parity bit.
Here, parity refers to a value retaining the parity of the given data. For instance, if 4-bit data of “1001” is given, the odd parity will be “1” calculated based on (1^0^0^1), and the even parity will be “0” calculated based on (1^0^0^1). When using parity, it is necessary to designate whether to use odd parity or even parity in the sending side (side retaining parity) and the receiving side (side checking parity), and the data unit for performing parity operation.
As one topic concerning the storage system, there is the problem of information leakage caused by the theft of HDDs. Encrypting the data stored in the HDD is one method of preventing such information leakage caused by the theft of HDDs.
Block cipher is widely used for encrypting the data stored in HDDs. Block cipher is a symmetric key cipher method that partitions data into block data of a fixed length, encrypts such block data in block units with a key or IV (Initial Vector), and outputs the encrypted data of the same length. As of 2007, AES (Advanced Encryption Standard) described in FIPS 197 Announcing the ADVANCED ENCRYPTION STANDARD (AES) http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf (Non-Patent Document 1) is the substantial global standard.
AES is an block cipher algorithm having a spin structure (SPN structure) that sets the block unit size to 128 bits, and repeats cipher processing (substitution) and transposition processing (permutation) to the block units in processing units referred to as a round. In addition, AES is also a block cipher algorithm that performs data conversion in each round and 8-bit units using a 16×16 table known as an S-box.
AES has a high processing load and much time is required until the processing is completed due to the repeated processing of data according to the spin structure described above and the S-box conversion processing in 8-bit units. When loading the AES function in a storage system demanded of fast data transfer performance, deterioration in the processing throughput and occurrence of processing latency caused by the foregoing AES processing are problems that should be avoided, and in order to lower the costs, the AES function is generally mounted as hardware such as a microprocessor for controlling the data storage.
In addition, when mounting the AES function as hardware, there are cases where, in order to improve the AES processing throughput, 16 S-boxes are prepared to perform processing in 128 bits rather than preparing just 1 S-box and performing processing in 8 bits. Moreover, when high speed processing performance is demanded, each round processing may be designed independently, and a pipeline architecture that connections such rounds may be used to improve the AES processing throughput.
In order to improve the soft error resistance of an AES circuit mounted as hardware such as a microprocessor in a storage system, conventionally, the method described in Patent Document 1 was used to multiplex the overall AES circuit, and detect and correct the error by taking a majority among the results output from a plurality of AES circuits, or the method described in Patent Document 2 was used to retain parity created from the result output from the AES operation execution logic in a latch circuit separately from storing the result output from the AES operation execution logic in a latch circuit that is separate from the foregoing latch circuit, and detect and correct the error by comparing the parity created from the result and the separately retained result parity upon reading the result from the latch circuit.
Nevertheless, with the AES circuit protection method employing the method described in Patent Document 1, the circuit size will become enlarged since a plurality of AES circuits are mounted. As described above, enlargement of the circuit size will be significant in the design of preparing S-boxes for 16 circuits or in the design based on a pipeline architecture. Not only will the enlargement of the circuit size lead to increased hardware costs, it also entails a problem of preventing other functions from being incorporated into the microprocessor.
In addition, since AES is operated at 128-bit units, the data protection strength based on the AES circuit protection employing the method described in Patent Document 1 can be 128 bits. Here, for example, if the soft error rate is at a level of causing an error in only 1 bit among the 8 bits, it would suffice to detect errors in 8-bit units without protecting all bits, and the method of Patent Document 1 will be a case of overspecification. Meanwhile, the AES circuit protection method employing the method described in Patent Document 2 is not able to deal with soft errors arising in the AES operation execution logic.